06-10-2013 05:50 PM - edited 03-11-2019 06:55 PM
I don't have an ASA to test this at the moment so I have to ask.
I have a checkpoint firewall with only two interfaces, internal and external. Internal interface has an ip address of 192.168.1.254/24. External interface has an IP address of 1.1.1.254/24. On the internal facing side, I have two linux hosts linux1 (192.168.1.1/24) and linux2 (192.168.1.2). Both of the linux hosts have static NAT to public ip address as follows:
linux1 192.168.1.1 static NAT to 1.1.1.1
linux2 192.168.1.2 static NAT to 1.1.1.2
Now here is my issue:
host linux1 must be able to communicate with host linux2 using the public IP address. In other words, host linux1 must be able to telnet to host linux2's public IP address of 1.1.1.2. In other words, from host linux1, I must be able to "telnet 1.1.1.2" and see a login prompt.
On the Checkpoint firewall, I can easily accomplish this by hiding the source IP address of 192.168.1.1/24 behind the firewall interface of 1.1.1.254 and then translating the destination of 1.1.1.2 to 192.168.1.2. Very easy and it works.
How do I go about doing this with the ASA WITHOUT using DNS server (i.e. implementing alias)?
Thanks in advance
06-10-2013 08:57 PM
You are looking for the U-turning configuration setup.
If DNS doctoring is out of the picture, that's your only option.
Regards,
Julio
06-10-2013 09:12 PM
David,
If you need to access the servers by using their Public IP, you can apply the following NAT:
-8.2
static (inside,inside) 1.1.1.1 192.168.1.1 netmask 255.255.255.255
static (inside,inside) 1.1.1.2 192.168.1.2 netmask 255.255.255.255
same-security-traffic permit intra-interface
+8.3
object network obj-1.1.1.1
 host 1.1.1.1
object network obj-192.168.1.1
 host 192.168.1.1
object network obj-1.1.1.2
 host 1.1.1.2
object network obj-192.168.1.2
 host 192.168.1.2
! Translate the destination to the real server and hide the source behind the inside
! interface address so the server's reply comes back through the ASA instead of going
! host-to-host on the LAN (the 8.2 statics above translate the source implicitly; a
! twice-NAT rule with "source static any any" would leave it untranslated)
nat (inside,inside) source dynamic any interface destination static obj-1.1.1.2 obj-192.168.1.2 no-proxy-arp
nat (inside,inside) source dynamic any interface destination static obj-1.1.1.1 obj-192.168.1.1 no-proxy-arp
same-security-traffic permit intra-interface
This will tell the ASA to translate the packets with a destination of 1.1.1.x to 192.168.1.x.
Hope this helps.
Please rate if you find it useful.
-Eddy Duran
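As an added illustration (not code from any post in this thread), here is a small Python model of the U-turn described above, using the thread's addresses. It walks a TCP SYN/SYN-ACK from linux1 to linux2's public address through a toy inside-to-inside NAT and shows why the destination translation alone is not enough on a flat /24: unless the source is also hidden behind the ASA's inside address, the server answers linux1 directly, linux1 sees a SYN-ACK from 192.168.1.2 instead of 1.1.1.2, and the connection fails. The `ToyAsa` class, `deliver` function and `hairpin_handshake` function are constructed for this example and are not the ASA's real forwarding logic.

```python
# Added illustration, not code from any post in this thread: a toy model of the
# ASA U-turn (hairpin) NAT described above, using the thread's addresses.
# It shows why the destination translation alone is not enough: the server's
# reply must also be forced back through the firewall by translating the source.
from dataclasses import dataclass

ASA_INSIDE = "192.168.1.254"                      # ASA inside interface (from the thread)
LAN_HOSTS = {"192.168.1.1", "192.168.1.2"}        # linux1, linux2 (from the thread)
STATIC_NAT = {"1.1.1.1": "192.168.1.1",           # mapped (public) -> real (from the thread)
              "1.1.1.2": "192.168.1.2"}


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    flag: str  # "SYN" or "SYN-ACK"


class ToyAsa:
    """Minimal inside-to-inside NAT model (constructed, not the ASA's real logic)."""

    def __init__(self, hide_source: bool):
        self.hide_source = hide_source
        # xlate table keyed by the (src, dst) the reply will carry -> original (src, dst)
        self.xlate = {}

    def forward(self, pkt: Packet):
        if pkt.dst in STATIC_NAT:
            # Client -> public address: untranslate the destination, optionally hide the source.
            real_dst = STATIC_NAT[pkt.dst]
            new_src = ASA_INSIDE if self.hide_source else pkt.src
            self.xlate[(real_dst, new_src)] = (pkt.src, pkt.dst)
            return Packet(new_src, real_dst, pkt.flag)
        entry = self.xlate.get((pkt.src, pkt.dst))
        if entry is None:
            return None  # no matching xlate: the ASA drops it
        orig_src, orig_dst = entry
        # Reply: restore the public server address and the real client address.
        return Packet(orig_dst, orig_src, pkt.flag)


def deliver(pkt: Packet, asa: ToyAsa):
    """Model the flat /24: same-subnet traffic is switched host to host and the ASA
    never sees it; anything else goes to the default gateway (the ASA)."""
    if pkt.dst in LAN_HOSTS:
        return pkt
    return asa.forward(pkt)


def hairpin_handshake(client: str, public_server: str, hide_source: bool):
    """Run the first two steps of a TCP handshake from client to the server's public
    address through the toy ASA. Returns (success, explanation)."""
    asa = ToyAsa(hide_source)
    syn = deliver(Packet(client, public_server, "SYN"), asa)
    if syn is None:
        return False, "SYN dropped by the firewall"
    # The server answers whatever source address it saw in the SYN.
    synack = deliver(Packet(syn.dst, syn.src, "SYN-ACK"), asa)
    if synack is None:
        return False, "SYN-ACK dropped by the firewall"
    if synack.dst != client or synack.src != public_server:
        return False, (f"{client} sent SYN to {public_server} but got SYN-ACK from "
                       f"{synack.src}: no matching socket, connection fails")
    return True, f"SYN-ACK arrives from {public_server}, handshake completes"


if __name__ == "__main__":
    for hide in (False, True):
        ok, why = hairpin_handshake("192.168.1.1", "1.1.1.2", hide)
        print(f"hide source behind {ASA_INSIDE}: {hide!s:5} -> {'OK  ' if ok else 'FAIL'} {why}")
```

Running it prints one FAIL line for destination-only translation and one OK line once the source is hidden behind the inside interface, which is the same asymmetric-return problem the Checkpoint "hide" rule in the question avoids.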
06-11-2013 01:11 PM
Hello David,
I just created this document:
https://supportforums.cisco.com/docs/DOC-34107
I think this might help you and the rest of the community.
Regards
06-12-2013 07:08 PM
Your document and setup require a DNS server. What happens when a DNS server is not available?
06-12-2013 07:58 PM
Then you use the second option,
the U-turning one (of course your application should already be aware that in order to connect to the other box it will need to use the public IP address), which I think is already the case.
Remember to rate all of the helpful posts.
For this community that's as important as a thanks.
06-14-2013 08:55 AM
Hello David,
Do you have any other questions?
Otherwise you can mark the question as answered.
Remember to rate all of the helpful posts.
For this community that's as important as a thanks.